net.wars: The dataveillance society

By now, I assume everyone's heard the news that we are about to become a dataveillance society. It's all rather depressing, really.

About a month ago, I began hearing a general despair that data retention wasn't being covered in the national press. Ever since January or so, the Home Office has been getting ready to release the draft rules for data retention under the Anti-Terrorism, Crime and Security Act. You remember that piece of legislation: it's one of those bills that contains everything law enforcement wanted five years ago but couldn't get through until September 11. We are only now discovering the real consequences of that legislation as the Codes of Practice are developed to implement it.

"Data" in this context is not the contents of your email, or even, thanks to FIPR and Caspar Bowden's efforts, the contents of specific URLs. Data is traffic data: email headers, sites visited, login/logout records, cell site data for the mobile phone companies, and so on. While this sounds less invasive than the actual contents of email and so on, in fact traffic analysis can reveal an extremely detailed picture of anyone's life. Bowden's refereed paper on the subject, "Closed Circuit Television for Inside Your Head", explains why. In one of the few pieces of research on the subject, Alberto Escudero Pascual showed that tracking the 400 people in his department from cell to cell for a month allowed him to create a detailed picture of their interrelationships. The subsequent paper is worth reading.

I wrote the story up for the Guardian, where it finally appeared on Thursday, unfortunately (for reasons of space and advertising) not until after the story had broken about Europe. One important bulwark against the Home Office's plans for data retention was that they contravened the European Parliament's stand against allowing this type of mass retention. In November 2001, and again as recently as April, it seemed clear that the provisions in the 1997 Privacy Directive would stand. These prohibited telcos and ISPs from retaining traffic data for longer than required for business purposes, primarily billing. On May 30, enough pixels in the European Parliament changed color that it voted to overturn those provisions. Countries are now free to legislate data retention if they want to. Apparently lots of them do. We already knew Britain does.

What may not be the same in other countries is the breadth of ATCS. A revealing bit of debate from the House of Lords that Bowden sent me shows the thinking. Even minor crimes - joyriding, working illegally - may, in this thinking, be linked to terrorism. Perhaps the apparent joyrider is really checking out a military base. Perhaps the illegal worker is part of a black economy funding terrorists. And perhaps my neighbour across the street who's always washing his car (three times in one week, once!) is ensuring a forensic examination won't find anything. This way lies madness and paranoia, not qualities Britain generally likes to think of as part of its national heritage.

The draft Code of Practice still hasn't been published. At last research, the Information Commissioner (formerly the Data Protection Registrar) was getting legal advice, due soon, on whether the draft Code of Practice contravenes the data protection laws. Under the 1998 Data Protection Act, which is the national legislation supporting the 1997 European Privacy Directive, companies may only keep traffic data as long as it's needed for business purposes - unless a legal requirement to do otherwise is conferred upon them. The question is whether a voluntary Code of Practice, as the ATCS one will be until or unless it's reviewed and made mandatory, is a requirement. The Information Commissioner isn't sure. The Home Office seemed pretty confident.

Latest rumour has it that the Information Commissioner's legal advice will hold that the clauses are not legal. But even so: if ISPs and telcos refuse to comply with the Code of Practice on the grounds that it opens them up to legal liability, in a year, when the Code of Practice is reviewed, it will be made mandatory. Great.

It seems likely in a global medium that large numbers of servers might shift off-shore somewhere. It may not matter as much as we think. Even with broadband rolled out to only a tiny percentage of the population, I know people who run IRC, Web, and email servers at home and manage their own network connections. In that world, we are all "communications service providers". Are you ready to store your Web logs and email headers for up to two years, as some of the draft versions of the Code of Practice demand?

It's a curious irony that despite Britain's general distrust of a federated Europe, the court of ultimate appeal is now the European Court of Human Rights in Strasbourg. The European Parliament's decision can't be appealed there, however. Cases can only be brought after individual nations bring in laws mandating data retention, challenging them under the European Convention on Human Rights. It will, says Bowden, be a blue-sky argument, as there is no history of jurisprudence on this subject.

But it can take five years and £30,000 to bring a case to the ECHR, and during that time the machinery of dataveillance can be built and turned on. By that time, even if the Court rules that systematic surveillance of the communications traffic of an entire nation's population is illegal under the ECHR, it may be impossible to dismantle. By the time of the Queen's diamond jubilee, if she has one, we may all be watched in more detail than she is.